Tuta
Tuta (formerly Tutanota) is a German-made, open-source encrypted email and calendar service that offers end-to-end encryption for emails, contacts, and calendars. It is the first email provider to implement post-quantum encryption via its TutaCrypt protocol, protecting messages against both current and future quantum computing threats.
Score generated by AI agents based on publicly cited evidence and reviewed by the project maintainer. Not independently validated.
Score History
Timeline events are AI-curated from public reporting. Score trajectory is derived from documented events.
Tutao GmbH was founded in Hanover by Arne Mohle and Matthias Pfau to build accessible encrypted email. The company launched its beta in March 2014, open-sourced the client code on GitHub in September 2014, and exited beta in March 2015. As a pre-revenue startup with proprietary encryption and no IMAP, lock-in was already baked into the architecture, and the closed-source server and tiny team meant limited governance transparency.
Tutanota reached one million users in February 2016 and two million by March 2017. The open-source code established transparency, and paid plans at just 1 euro/month kept monetization clean. However, the proprietary encryption protocol deepened lock-in as more users stored email archives they couldn't export or access via IMAP. The 2017 redesign and encrypted search launch improved usability, and 2FA with U2F/TOTP arrived in August 2017.
A period of rapid feature development: F-Droid publication in August 2018 eliminated Google dependencies, desktop clients launched in December 2018, and the encrypted calendar arrived in July 2019. Tuta transitioned to 100% renewable electricity in March 2019 and launched Secure Connect for journalists. Censorship in Egypt (October 2019) and Russia (February 2020) validated the service's effectiveness against authoritarian surveillance. The free-tier inactivity deletion policy drew criticism as a dark pattern.
The Cologne court ordered Tutanota to monitor a user's account in November 2020, and Germany's Federal Court of Justice (BGH) upheld the order in April 2021, classifying Tutanota as a telecommunications provider subject to surveillance obligations. Sustained DDoS attacks in August-September 2020 caused multi-day outages affecting millions of users. A Sonar-discovered RCE vulnerability in the desktop client (fixed within two days in June 2022) highlighted the risks of the Electron-based approach. Desktop clients exited beta in September 2021 after security review.
Tuta cemented its position as the most security-forward encrypted email provider by launching TutaCrypt, the first post-quantum encryption protocol for email, in March 2024. The rebrand from Tutanota to Tuta in November 2023 accompanied the 10-million-user milestone. A €1.5M German government grant funded post-quantum cloud storage R&D. The first price increase in eight years (from €1 to €3/month) was handled responsibly with grandfathering for existing users. The 2023 'honeypot' allegation was debunked, and Tuta publicly threatened to sue the EU over the Chat Control encryption backdoor proposal.
Alternatives
Australian-based email with excellent IMAP support, fast interface, and strong feature set including custom domains and aliases. Not end-to-end encrypted, so not a privacy-equivalent replacement — but a better option for users who prioritize usability and standard email interoperability over E2E encryption. Scored 12 here (Healthy). Easy switch with full IMAP migration support.
The most popular encrypted email service with a broader privacy ecosystem (VPN, Drive, Calendar, Passwords). Based in Switzerland with stronger jurisdictional protections than Germany. Supports PGP and IMAP via Bridge (paid plans), giving more interoperability than Tuta. Scored 15 here (Healthy). Easy switch — just create an account and start using it, though encrypted email history won't transfer from Tuta.
Dimensional Breakdown
Summaries below were written by AI agents based on the cited evidence. They are editorial interpretations, not independent research findings.
Dimension History
Timeline (43 events)
Tutao GmbH Founded in Hanover, Germany
Arne Mohle and Matthias Pfau founded Tutao GmbH in Hanover, Germany, with the goal of building an easy-to-use encrypted email service. The company was incorporated on January 10, 2012, with registered capital of 25,500 euros. The name Tutanota derives from Latin: 'tuta' (secure) + 'nota' (message).
Tutanota Beta Launches with Automatic Encryption
Tutanota published its first beta version, offering the world's first encrypted email client that automatically encrypts emails end-to-end without requiring users to manage PGP keys. The service launched with web, iOS, and Android clients, making encrypted email accessible to non-technical users for the first time.
Tutanota Web Client Open-Sourced on GitHub
Tutanota published its web client source code on GitHub under the GPLv3 license, becoming one of the first encrypted email services to offer full client-side code transparency. The iOS and Android app source code followed shortly after. This allowed independent security researchers to audit the encryption implementation.
Tutanota Exits Beta After 100,000 Users
After one year of beta testing and nearly 100,000 signups, Tutanota officially exited beta. The release introduced new email domains including tutanota.com, tuta.io, tutamail.com, and keemail.me. Paid features including custom domain support were introduced for the first time, establishing the subscription-based revenue model at 1 euro per month.
Tutanota Reaches One Million Users
Two years after its beta launch, Tutanota reached one million registered users. At this point, every second email sent with Tutanota was end-to-end encrypted. The milestone demonstrated growing demand for accessible encrypted email in the post-Snowden era.
Completely Redesigned Tutanota Version Released
Tutanota published a completely new version of the email client with significantly improved speed and modern design. The redesign addressed long-standing usability complaints about the original interface and modernized the user experience across web and mobile platforms.
Tutanota Reaches Two Million Users
Tutanota reached two million registered users, tripling its user base in approximately one year. Growth was driven by increasing awareness of surveillance concerns and the ease of Tutanota's automatic encryption compared to manual PGP setup.
Tutanota Adds Two-Factor Authentication with U2F and TOTP
Tutanota added support for two-factor authentication using both TOTP (authenticator apps like Google Authenticator) and U2F (hardware security keys like YubiKey). U2F is the most secure form of 2FA, protecting against phishing and man-in-the-middle attacks, and Tutanota was among the first email providers to support it.
First Encrypted Full-Text Search for Email Launched
Tutanota became the first encrypted email service worldwide to develop secure full-text search for encrypted data. The search creates an encrypted index stored locally on the user's device, allowing search without exposing content to the server. The code was published as open source under GPLv3.
First Email Provider to Publish App on F-Droid
Tutanota became the first email service to publish its app on F-Droid, the free and open source Android app repository. This required building a custom push notification system using Server-Sent Events (SSE) to replace Google's Firebase Cloud Messaging (FCM), eliminating all dependency on Google proprietary code and tracking.
Encrypted Desktop Clients Released in Beta
Tutanota published beta desktop clients for Linux, Windows, and macOS, built on Electron. The desktop clients included built-in encryption and allowed users to access Tutanota without a browser, with cryptographic signatures to verify the app matched the published open source code.
Tuta Transitions to 100% Renewable Electricity
Tutanota convinced its data center provider to switch to renewable electricity. All systems including developer laptops, office infrastructure, and email servers for encrypted mailboxes now run on green electricity. Employees also participated in Fridays for Future climate protests.
Secure Connect Encrypted Contact Form Launched on Press Freedom Day
Tutanota launched Secure Connect, an open-source encrypted contact form that enables whistleblowers to securely communicate with journalists. The tool was offered free to news organizations on World Press Freedom Day. It creates an encrypted mailbox for the sender with automatic end-to-end encryption.
First Encrypted Calendar Launched
Tutanota launched the first fully encrypted calendar, built from scratch in under two months. All calendar entries, event descriptions, and attendee information are encrypted end-to-end. The calendar was integrated into the existing Tutanota clients across web, desktop, and mobile.
Tutanota Blocked in Egypt
Egyptian authorities blocked access to Tutanota, making it inaccessible to users in Egypt without VPN or Tor. The blocking was part of a broader crackdown on encrypted communication services in the country. Tutanota provided instructions for accessing the service via Tor Browser.
Russia Blocks Tutanota Email Service
Russian authorities blocked access to Tutanota for all users in Russia. Co-founder Matthias Pfau condemned the blocking as 'censorship of Russian citizens who are now deprived of yet another secure communication channel.' The blocking was part of Russia's broader crackdown on encrypted services. Users could still access the service via VPN or Tor.
XSS Vulnerability Fixed in Payment Processing Page
A cross-site scripting vulnerability was discovered during a regular security review on a payment processing page that could have been used to leak login credentials. The vulnerability was introduced on January 20 during a UI improvement. Tutanota immediately published a server-side fix and moved all payment processing to a separate subdomain. No exploitation attempts were detected.
Sustained DDoS Attacks Cause Multi-Day Outages
A sophisticated, multi-layered DDoS attack campaign began on August 15, 2020, causing downtime for millions of Tutanota users. Attacks continued intermittently through September 17, targeting both Tutanota's servers directly and its DNS providers. Multiple attacks hit on August 27 and September 6, 7, 10, and 13. Some emails sent during outages bounced. No user data was compromised.
Cologne Court Orders Tutanota to Monitor Email Account
The Cologne Regional Court ordered Tutanota to implement a monitoring function for a single account used in a blackmail case. The order required Tutanota to provide unencrypted incoming and outgoing emails — but end-to-end encrypted content remained inaccessible. Co-founder Matthias Pfau called the ruling 'absurd' and confirmed Tutanota would appeal, noting it contradicted a Hanover court ruling that classified Tutanota as not a telecommunications service.
German Federal Court Upholds Surveillance Order Against Tutanota
Germany's Federal Court of Justice (BGH) dismissed Tutanota's appeal and ruled that the company must monitor two accounts for three months in the blackmail case. The BGH classified Tutanota as providing telecommunications services under the Code of Criminal Procedure, contradicting the earlier Hanover court ruling. The decision only applied to unencrypted emails; E2E encrypted content remained inaccessible.
Desktop Clients Exit Beta After Security Review
Tutanota's desktop clients for Linux, Windows, and macOS officially exited beta after two and a half years of development and a security review. The release came with improved stability, offline capabilities, and cryptographic signing to allow users to verify the apps match the open source code.
Tutanota Offers Free Premium Accounts for Open Source Projects
Tutanota began offering free premium accounts to open source project teams, allowing project leaders and core contributors to get encrypted email with custom domains at no cost. Non-profit organizations in select countries also received free business accounts, while NPOs elsewhere got 50% discounts.
Offline Mode Released for Encrypted Email Access
Tutanota released offline mode in beta for desktop clients, allowing users to access encrypted emails, calendars, and contacts without an internet connection. The feature was later expanded to mobile apps and exited beta in 2023, reducing loading times dramatically through local caching of encrypted data.
RCE Vulnerability in Desktop Client Discovered and Fixed
Security firm Sonar discovered a cross-site scripting vulnerability affecting all Tutanota clients, with a chained remote code execution vulnerability specific to desktop clients. An attacker could craft a malicious email that, when opened on the desktop client, could execute arbitrary code after two clicks. Tutanota fixed both vulnerabilities within two days of responsible disclosure. No exploitation was detected.
Subfolders Feature Completed Across All Clients
After years of user requests, Tutanota completed the subfolders feature on all clients — web, Android, iOS, and desktop. This addressed a major organizational limitation that had frustrated users who needed hierarchical email sorting.
Tutanota Reaches 10 Million Users
Tutanota announced it had reached 10 million registered users, a tenfold increase from the one million milestone in 2016. The growth reflected increasing global demand for privacy-focused email alternatives. The milestone was announced alongside new pricing plans.
First Price Increase in Eight Years: €1/Month to €3/Month
Tutanota raised the price of its basic paid plan from €1/month to €3/month (Revolutionary plan), the first increase since launch. The new pricing included upgraded features: 20GB storage (up from 1GB), 15 email aliases, unlimited search, and offline mode. A 50% discount was offered for 24-month plans. Existing subscribers were grandfathered at their original price.
PQDrive Project Receives €1.5M German Government Grant
The German government awarded Tutanota a €1.5 million grant through the KMU-innovativ programme for the PQDrive project — development of a post-quantum encrypted cloud storage solution. The University of Wuppertal received an additional €600,000 as a research partner. The project is expected to create 30 new jobs in Hanover.
Unlimited Custom Domain Email Addresses Released
Tutanota released the ability to create unlimited email addresses with custom domains for all paid plans. Users could create as many addresses as needed with their own domain, while Tutanota domain addresses remained limited to 15 or 30 depending on the plan. This was a competitive advantage over rivals that limit total alias counts.
Ex-RCMP Officer Claims Tutanota Is Intelligence Honeypot
During his trial for leaking classified information, former RCMP intelligence director Cameron Ortis alleged that Tutanota was a 'storefront' — a honeypot designed to lure criminals for surveillance. Tuta categorically denied the claims, pointing to its open-source code and founder ownership structure as proof of independence. Ortis was convicted on four charges under the Security of Information Act in November 2023 but never provided evidence for his Tutanota claims.
Tutanota Rebrands to Tuta with New Domain tuta.com
The company officially rebranded from Tutanota to Tuta, citing that the shorter name was easier to share verbally (especially over the phone for email addresses). The tutanota.com domain redirects to tuta.com, and users gained access to @tuta.com addresses. The rebrand included a new visual identity with minimalist design.
Tuta Opens Second Office in Munich, Hires Record 15 People
Tuta expanded beyond its original Hanover headquarters by opening a second office in Munich, located near the Technical University of Munich (TUM). The company hired a record 15 new employees in 2024, surpassing 30 team members for the first time. The Munich office focused on backend and infrastructure development.
ECHR Rules Weakening Encryption Violates Human Rights
The European Court of Human Rights ruled in Podchasov v. Russia that weakening encryption violates the right to privacy under Article 8 of the European Convention on Human Rights. The landmark ruling confirmed that encryption backdoors would compromise security for all users. Tuta cited the ruling as validation of its position against Chat Control and similar legislation.
TutaCrypt: First Post-Quantum Encryption for Email
Tuta launched TutaCrypt, becoming the first email provider to implement post-quantum encryption. The hybrid protocol combines CRYSTALS-Kyber (quantum-resistant key encapsulation) with X25519 (elliptic curve key exchange), protecting emails against both current and future quantum computer attacks. All new accounts used TutaCrypt by default.
Standalone Encrypted Calendar App Released
Tuta released a standalone quantum-safe encrypted calendar app for Android and iOS, separate from the email client. Features included a calendar widget, contacts' birthdays integration, cross-platform sync, and zero-knowledge push notifications. Apple initially rejected the iOS app because Tuta required a password for account deletion, but the issue was resolved.
TutaCrypt Rollout Extended to All Existing Users
Tuta began migrating all existing user accounts to TutaCrypt post-quantum encryption, extending the protection launched in March 2024 for new accounts. The migration required no user action — accounts were upgraded automatically with email notification. By February 2025, approximately 10% of existing accounts had been upgraded.
Email Labels Feature Launched for Inbox Organization
Tuta introduced color-coded labels as a new email organization feature, complementing the existing folders and subfolders system. Users could assign multiple labels to emails for cross-categorized filing. Labels were drag-and-drop enabled and alphabetically sorted.
Email Import Feature Launches in Beta
Tuta released its long-awaited email import feature in beta for Legend and Unlimited plan users. The feature allows users to import emails from external mailboxes, encrypting them locally before storing on Tuta's servers. This was a significant improvement for data portability, making it easier for users to switch to Tuta from other providers.
French Parliament Rejects Narcotrafic Law Encryption Backdoor
The French parliament voted against the Narcotrafic law amendment that would have forced encrypted communication providers to implement backdoors within 72 hours of a law enforcement request. Tuta had joined the opposition campaign, warning that non-compliance could result in fines of up to 2% of global turnover. The subsequent 'Resilience' bill aimed to prevent future attempts to break encryption.
Coalition of 89 Organizations Publishes Open Letter Against ProtectEU
Tuta joined 89 civil society organizations, companies, and cybersecurity experts in publishing a joint letter urging the EU not to undermine encryption with the ProtectEU strategy (formerly Chat Control). CEO Matthias Pfau warned that strong encryption is essential to protecting human rights and European digital infrastructure. The letter argued that client-side scanning creates vulnerabilities exploitable by criminals and hostile states.
Fast Sync Makes Tuta Apps 10x Faster
Tuta released Fast Sync, a fundamental change to how the app synchronizes data that made all clients approximately 10 times faster. The performance improvement addressed long-standing complaints about slow loading times in encrypted apps and aimed to match the speed of non-encrypted competitors.
Key Verification Feature Released for Anti-MITM Protection
Tuta introduced key verification, enabling users to manually verify the public encryption keys of their contacts via QR code scanning or code comparison. Once verified, the client automatically checks for key consistency in future exchanges, detecting potential man-in-the-middle attacks. The feature complemented the existing Trust On First Use (TOFU) model.
Tuta Publicly Threatens to Sue EU Over Chat Control
Tuta publicly declared it would sue the EU if the Chat Control regulation passes, stating: 'If Chat Control passes, we have two options: sue to fight for people's privacy, or leave the EU. And we've decided to fight. We will never build backdoors or spy on our users.' CEO Matthias Pfau emphasized that weakening encryption would destroy trust in European businesses.
Evidence (38 citations)
D1: User Value Erosion
D2: Business Customer Exploitation
D3: Shareholder Extraction
D4: Lock-in & Switching Costs
D5: Twiddling & Algorithmic Opacity
D6: Dark Patterns
D7: Advertising & Monetization Pressure
D8: Competitive Conduct
D9: Labor & Governance
D10: Regulatory & Legal Posture
Scoring Log (4 entries)
Stripped for Phase 2 re-enrichment